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Abstract 

Consider a communication network represented by a directed graph Q = (V, £), where V is the set of nodes and £ is the set 
of point-to-point channels in the network. On the network a secure message M is transmitted, and there may exist wiretappers 
who want to obtain information about the message. In secure network coding, we aim to find a network code which can protect 
the message against the wiretapper whose power is constrained. Cai and Yeung |6l studied the model in which the wiretapper can 
access any one but not more than one set of channels, called a wiretap set, out of a collection A of all possible wiretap sets. In 
order to protect the message, the message needs to be mixed with a random key K. They proved tight fundamental performance 
bounds when A consists of all subsets of £" of a fixed size r. In this paper, we investigate the problem when A consists of arbitrary 
subsets of £ and obtain the following results: 1) an upper bound on H{M); 2) a lower bound on H{K) in terms of H{M). The 
upper bound on H[M) is explicit, while the lower bound on H(K) can be computed in polynomial time. The tightness of the 
lower bound for the point-to-point communication system is also proved. 

Index Terms 

Information inequality, perfect secrecy, performance bounds, secure network coding. 

I. Introduction 

IN classical information-theoretic cryptography, when we need to send a private message to a receiver in the presence of 
wiretappers, in order to protect the message, we encrypt the message with a random key and send the ciphertext to the 
receiver. A wiretapper who has no access to the key can know nothing about the message by only observing the ciphertext, 
in the sense that the ciphertext and the message are statistically independent. On the other hand, the receiver obtains the key 
via a "secure" channel and use it to decrypt the ciphertext to recover the private message. The best known such model is the 
one-time pad system studied by Shannon fT2\, which requires the minimal amount of randomness for the key. 

The one-time pad system was generalized to secret sharing by Blakley [41 and Shamir [21 1. Ozarow and Wyner |fT9l also 
studied a similar problem which they called the wiretap channel II. In this model, information is sent to the receiver through 
a number of point-to-point channels. It is assumed that the wiretapper can access any one but not more than one set of 
channels, called a wiretap set, out of a collection A of all possible wiretap sets, where A is specified by the problem under 
consideration. For example, A could be the collection of all wiretap sets each containing a single channel. In this case, the 
wiretapper can access any one but not more than one channel. The strategy to protect the private message is the same as that in 
classical information-theoretic cryptography. Specifically, the private message and the random key are combined by means of a 
coding scheme, so that a wiretapper observes some mixtures of the message and the key, where these mixtures are statistically 
independent of the message. On the other hand, the receiver node can decode the message from the information received on 
all the channels. 

Cai and Yeung [61 generalized secret sharing to secure network coding, in which a private message is sent to possibly more 
than one receiver through a network of point-to-point channels. The model they studied, which we refer to as the wiretap 
network (see also El Rouayheb and Soljanin [20|), is described as follows. In this model, the assumptions about the wiretapper 
and the strategy to protect the private message are the same as in the wiretap channel II. The only difference is that there exist 
intermediate nodes in the network that can encode, and there may be more than one receiver node. The solution is that we 
send both the private message and the key via a network coding scheme, so that a wiretapper can only observe some mixtures 
of the message and the key, where the mixtures are statistically independent of the message. On the other hand, a receiver 
node can recover the private message by decoding the information received from its input channels. Note that when A is the 
empty set, the wiretap network reduces to the original network coding model studied in Ahlswede et al. 

In dSl, a condition for the existence of secure linear network codes was proved and a construction of such codes was 
proposed. Feldman et al. f9l proved an equivalent existence condition and extended the code construction in |6J. In ||20J . 
El Rouayheb and Soljanin regarded the secure network coding problem as a network generalization of the model in wiretap 
channel II and showed that the transmitted information can be secured by using the coset coding scheme in [19 | at the source 
on top of the existing network code. Moreover, their code is equivalent to the code in In Silva and Kschischang |23|, a 
universal coding scheme based on the approach in |20| was proposed to apply on top of any communication network without 
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requiring the knowledge of the underlying network code. In Cai & Yeung Q and Zhang & Yeung ||28l . a general security 
condition for multi-source network code was presented. 

The performance of a secure network coding scheme is measured by two quantities: the size of the message and the size 
of the key. In designing a secure network coding scheme, we want to maximize the size of the message and at the same time 
minimize the size of the key. The latter is necessary because in cryptography, randomness is regarded as a resource. In f6|, 
it was shown that when the collection A of all wiretap sets consists of all subsets of channels whose sizes are at most some 
constant r, an upper bound on the size of the message and a lower bound on the size of the random key were obtained. Both 
of these bounds are tight for this special case. In this paper, we extend these bounds to the general case. 

When A is arbitrary, Cui et al. |8| studied the secrecy capacity under the wiretap network model. They showed that the 
cut-set bound is not achievable in general when the wiretap set is unknown, whereas it is achievable when the wiretap set is 
known before the communication. Some achievable strategies are proposed and the computational complexity to determine the 
secrecy capacity is proved to be NP-hard. 

Secure network coding was also generalized from different perspectives. Bhattad and Narayanan ||3] introduced weakly 
secure network coding, where it is required that wiretappers cannot decode any part of the source message. In this model, 
a weakly secure network code can be used to avoid trading off the throughput. In ifTTl . Harada and Yamamoto studied the 
strongly r-secure linear network code which can protect the source message such that a wiretapper can obtain no information 
about any s components of the source message by accessing n — s channels provided that the maximum flows to all the sink 
nodes are at least n, where s < n — r. A polynomial-time algorithm was proposed to construct the strongly r-secure linear 
network code. They also showed that strong security contains weak security as a special case. 

Secure network coding with error correction was studied by Ngai and Yeung [181, where they proposed a construction of 
secure error-correcting (SEC) network code which can protect the message from wiretapping, random errors and errors injected 
by the wiretapper. They further showed the optimality of their construction. 

From a different point of view, Lima et al. 1 16| analyzed the security of the network with the assumption that all the nodes 
comply with the communication protocol, but yet are potential eavesdroppers. In Jaggi et al. |13 | and Ho et al. |12|, detection 
of Byzantine attacks in the network coding framework was discussed. 

For practical scenarios, secure network coding for multi- resolution wireless video streaming was considered in Lima et al. 
1151. A joint investigation of network cost and network security was presented in Tan and Medard I24i . They also presented 
some experimental results regarding the tradeoff between network cost and network security. 

II. Problem Formulation 

In this work, we focus on the wiretap network model proposed in ||6l and aim to obtain some new performance bounds. 
Denote the network hy Q = (V, £), where V is the set of nodes and £ is the set of edges, each representing a point-to-point 
channel in the network. In this work, we use the terms "edge" and "channel" interchangeably. On each edge e a symbol from 
some transmission alphabet F can be transmitted. In this sense we say that each channel has unit capacity. We assume that Q 
is a directed acyclic multigraph, namely there can be multiple edges between each pair of nodes. 

A wiretap network consists of the following components: 

1) Source node s: The node set V contains a node s, called the source node, where a random message M taking values in 
an alphabet A^, called the message set, is generated. 

2) Set of user nodes U: A user node is a node in V which is fully accessed by a legal user who is required to receive the 
random message M with zero error. There is generally more than one user node in a network. The set of user nodes is 
denoted by U. For each u €U, let maxflow{u) denote the value of a maximum flow from the source node s to node u. 

3) Collection of sets of wiretap edges A: ^ is a collection of arbitrary subsets of the edge set £. Each wiretapper can access 
any A G A but not more than one subset in A at the same time. 

We denote such a wiretap network by the tuple {Q, s, U, A). 

A. Admissible Code 

We assume that the message Al is generated at the source node according to an arbitrary distribution on the message set 
M. Let K he a random variable independent of M, called the key, that takes values in an alphabet K. according to the uniform 
distribution. 

For each node v of the network Q, we denote the set of the input edges and the set of the output edges of v by In{v) and 
Out{v), respectively. A code for a wiretap network consists of a set of local encoding mappings {0e : e e such that for all 
e, (pe is a function from x /C to F if e e Out{s), and is a function from to F if e G Out{t) for t 7^ s. For e € £, 

let Ye be the random symbol in F transmitted on channel e; i.e., the value of (f)^. For a subset B of £, denote {Yg : e € B) 
hyVB. 

To complete the description of a code, we have to specify the order in which the channels send the indices, called the 
encoding order Since the graph Q is acyclic, it defines a partial order on the node set V. Then the nodes in V can be indexed 
in a way such that for two nodes t and t', if there is a channel from node t to node t', then t < t'. According to this indexing. 
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node t sends indices in its output channels before node t' if and only if t < t'. The order in which the channels within the 
set of output channels of a node send the indices is immaterial. The important point here is that whenever a channel sends an 
index, all the indices necessary for encoding have already been received. A code defined as such induces a function from 
X X /C to for all user nodes u £ U, where the value of denotes the indices received by the user node u in its 

input channels. 

In the wiretap network model, a code {(p^ e E £} should satisfy the following two conditions: 

1) decodable condition: For all user node u eU and all m,m' G A4 with m ^ m', 

$„(m,fc) ^ $„(m',fc') 

for all k, k' G IC. This guarantees that any two message are distinguishable at every user node. 

2) secure condition: the message should be information-theoretic secure, namely for all A E A, 

H{M\Ya) ^ H{M). (1) 

We refer to a code satisfying 1) and 2) as an admissible code. 

For an admissible code, we focus on the following two performance parameters, the size of the message and the size of the 
key: 

1) the size of the message is measured by H{M), which should be maximized; 

2) the size of the key is measured by H{K), which should be minimized. 

B. Related Works 

For set A (~ B, \f \A\ — r, then we refer to it as an r-subset of B. In |!6|, the following result was obtained. 

Theorem 1. Let q be the size of the transmission alphabet F, A consist of all the r-subsets of £ and n = minmaxflow(u). 
Then 

1) H{M) < {n-r)\ogq; 

2) HiK) > ^,H{M). 

Moreover, when F is a finite field, there exists a linear admissible code which can achieve equalities in these two bounds 
simultaneously; i.e., the size of the message is maximized and the size of the key is minimized . 

However, when A consists of arbitrary subsets of £, the problem becomes very hard and very little is known about the 
fundamental performance limit. In this work, we investigate this problem and obtain some bounds. 

III. Blocking Sets and Wiretap Sets 
In this section, we introduce some notations and theorems in our proof. 

Definition 1. For a network Q = (V, £), we denote a cut (graph cut) of Q by {W, W^), where W ^ V contains the source 
node s and — V \ W contains the destination node t, and denote the set of edges from W to by E{W, W), which 
is also abbreviated to Ew- 

We first state in the next lemma two key inequalities obtained in Q. 

Lemma 1. In the network Q — (V, £), let {W, W^) be a cut of Q. If there exists an admissible code on Q, then for any wiretap 

set I C Ev/, we have 
(Ai) H{M) < H{Ye„\i\Yi); 
{A2) H{K)>H{Yi). 

The inequality [Ai) was used in |6| to prove 1) and 2) of Theorem [T] The inequality {A2) was proved but no further 
interpretation was provided. In this section, we extend these two inequalities to a more general situation. 

Definition 2. In the network Q — (V,£), a set J C £ is called a blocking set if and only if there exists a cut (W, W^) such 
that E{W, W) C J. 

The blocking set is a generalization of the graph cut. Let u GlA. Since the message M can be decoded at user node u and 
the symbols received at node u are functions of Ye^-, where is a cut and Ey/ is a subset of the blocking set J, we obtain 
that M is a function of Yj, namely 

H{M\Yj) = 0. (2) 
Proposition 1. Let A,B c£ such that B C A. If H{M\Ya) = H{M), then H{M\Yb) = H{M). 
Proof: If H{M\Ya) = H{M), and B Q A, then 

H{M\Yb) > H{M\Ya) = H{M). 
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On the other hand, 

H{M\Yb) < H{M). 

Hence 

H{M\Yb) = H{M), 

which completes the proof. ■ 
The next lemma is a simple generaUzation of Lemma [1] which we will see is a very useful tool for obtaining performance 
bounds for a general secure network coding problem. 

Lemma 2. In the network Q = (V, £), let J Q £ be a blocking set. For any admissible code on Q and any wiretap set I C J, 
we have 

(Bi) H{M)<H{Yj\i\Yi); 
{B2) H{K) > H{Yi). 

Proof: Since J is a blocking set, we obtain that 

H{M\Yj) = 0. (3) 
Since / C J is a wiretap set and the code is secure, we have 

H{M\Yi) = H{M). (4) 

It follows that 

H{M) = H{M\Yi) - H{M\Yj) 
= I{M-Yj\j\Yi) 
< H{Yj\j\Yi), 

which completes the proof of (-Bi). 

Since H{Yi\M,K) = 0, / C J, and H{Yi) = H{Yi\M), we obtain that 

H{Yi) = H{Yj\M)-H{Yi\M,K) 

= I{Yi;K\M) 

< H{K\M) 

= H{K), 

which completes the proof of (i?2)- ■ 

IV. An Upper Bound on the Message Size 
From Lemma |2] we can immediately obtain an upper bound on H{M). 

Corollary 1. Let the size of the transmission alphabet F be q. Let J be a blocking set and I Q J be a wiretap set. For any 
admissible code on Q, 

H(M) < min |J\/|logg. (5) 

~ JJ-.ICJ 

Proof: By (Bi) of Lemma |2] we have 

HiM)<H{Yj\j\Yi) 
< H{Yj\i) 

<\J\I\\ogq. (6) 
Then the corollary is proved by minimizing over all J, / such that I C J. 

H(M) < min \J\I\\ogq. 

■ 

From this bound, we see that if J \ / = 0, then the upper bound above vanishes, which implies H{M) = 0. This means 
that if there exists a wiretap set I that contains a cut as its subset, then the network cannot send any message, because J can 
be taken to be / so that | J \ /| =0. 

Next we present two theorems for computing the upper bound on H{M). 



Lemma 3. For any fixed wiretap set I, 
where mincut(£ \ I) is the minimum cut of graph (V, £ \ I). 



min I J \ /I = mincut(£ \ I), (7) 

J-.ICLJ 
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Proof: Let {W, W^) be a graph cut and Ew be the edges across the cut. Then Jw = Ew |J / is a blocking set. If we 
consider only such blocking sets Jw for J in (|7J, we have 

min I J \ /I < min \Jw \ I\ 
JJJCJ j„, 

= min \Ew\I\= mincut(f \ I). (8) 

The last equation is due to the fact that Ew \ I corresponds to the set of edges across a cut of £ \I, and vice versa. 
Conversely, let Jo be a blocking set including / that minimizes | J \ /|, and Ew ^ Jo- Then 

^min ^\J \ I\ ^\ Jo \I\>\Ew\I\ 

> min \Ew \ /| = mincut(£: \ I). (9) 

Ew 

Together with (O, we can conclude the proof. ■ 
From Lemma [51 we obtain the following corollary. 



Corollary 2. 



min I J \ /I = minmincutff \ I). 

JJJCJ ' I 



By means of this corollary, since the mincut of a graph can be computed in 0(|V| • \£\) number of steps, we can compute 
the upper bound on H{M) in Corollary [T] in 0(|/| • |V| • \£\) number of steps. 

V. Information Inequalities for Joint Entropy 

In this section, we state and explain some information inequalities that are instrumental in the proofs in this work. 
Let [n] — {1,2, n}. For a subset a C [n], denote (X;, i G a) by X^- Let a = [n]\a. In information theory, the following 
independence bound for joint entropy (e.g, p. 29 in ll26l ) is well known. 

n 
i=l 

This inequality provides an upper bound on the joint entropy H{X^n]) in terms of the entropies of the individual random 
variables. It is tight when the random variables Xi, ...,X„ are mutually independent. 

A. Han 's Inequalities 

Han 1 10] generalized the independence bound to two sequences of inequalities, which are stated in the next two theorems. 
Theorem 1. For k ~ \, 2, . . . , n, let 

' a: |a| — 

Hn<H^-i<---<H,. (10) 



Then 



In this theorem, 

1 1 " 

7^ L J ^ f ^ 



n 
1=1 



is equivalent to the independence bound. This sequence of inequalities was used in ||27l to prove a converse coding theorem 
in multilevel diversity coding. 



Theorem 2. For k ~ 1, 2, . . ., n, let 

- -pry 

Oi.:\o(\ — k 



TT, _ 1 Y- H(X^\Xi,) 



Then 

g{ < ^2 < ■■■ < = ■ (11) 

n 

This sequence of inequalities was used in proving 2) in Theorem [l] 
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B. Madiman-Tetali's Inequalities 

In Han's inequalities, the term Hk (Hj^) only involves the joint entropy (conditional joint entropy) of the k-subsets of 
X[n]- These inequalities have recently been generalized by Madiman and Tetali [17|. In the following, let C be an arbitrary 
collection of subsets of [n]. 

Definition 3. A function a: C is called a fractional covering if X^seC ies '^(*) — ^ ^i^ch i G [n]. 

Definition 4. A function /3 : C ^ i?+ is called a fractional packing, if ^seC ies (^(^) — 1/""" ^och i G [n]. 
Tlieorem 3. For any collection C of subsets of [n], any fractional covering a and any fractional packing /], 

^/3(s)i/(X,|X,o) <i/(X[„]) < ^a(s)i?(X,). (12) 

sec sec 

In the rest of this work, we refer to the left hand side of the inequality as the fractional packing inequality and the right 
hand side of the inequality as the fractional covering inequality. 

Example 1. Let n ^ 3 and C = {Ci, C2, C3}, where Ci ^ {1, 2}, C2 = {2, 3} and C3 = {1, 3}. 
By Han 's inequalities, we obtain that 

< \h(X^^2) + \h{X2,z) + \h(X^^i). (13) 
By Madiman-Tetali's inequalities, we obtain that 

PlH{Xi^2\X^) + l32H{X23\Xl) + /33-ff(X3,l|X2) 

< ^^(^1,2,3) 

< aiH{Xi^2)+a2H{X2,z) + azH{X^,i) (14) 

holds for any fractional covering a and any fractional packing j3, namely 

ai, a2, Q!3 > 0, Q!i + 0:3 > 1, 0:2 + ct3 1. q;3 + ai > 1; 
/3i,/32,/33 > 0, /3i + /33 < 1, /32 + /33 < 1, /Ss + /3i < 1. 

In particular, when ai ~ ^ and /3i = \ for all i = 1,2,3, l\14i becomes ( liil ). This shows that Madiman-Tetali's inequalities 
are more general than Han 's inequalities. 

When Ci ~ {1,2}, C2 — {2,3}, C3 — {2}, Han's inequalities are not applicable, while by Madiman-Tetali's inequalities, 
we have 

/?li/(Xl,2|X3) + p2H{X2^^\Xi) + /?3H(X2|Xi,3) 

< -^^(^1.2,3) 

< aiH{Xia) + a2H{X2,:i) + a:iH{X2), (15) 

where 

Oil > 1, cki + a2 + 03 > 1, a2 > 1, and ai, 012, 0:3 > 0; 
/3i < 1, A + /32 + /?3 < 1, P2 < 1, and /3i,/32,^3 > 0. 

Recently, Jiang et al. [J4J have applied these inequalities to multilevel diversity coding. 

VI. The Fractional Packing Bound 
In this section, we prove a lower bound on H{K) by means of the fractional packing inequality in (fT2l) . 

Tlieorem 4. Fix a blocking set J and let /? be a fractional packing of {J\I '■ I Q J}, then 

H{K) > max J \ /) - 1 j H{M) (16) 

Proof: By {Bi ) of Lemma |2l we have 

H{M) < HiYj\j\Yi). (17) 

By inequality (fT2|) . we obtain 

E fi{J\I)H{M) < E l3{J\I)H{Yj\j\Yi) < H{Yj). 

ICJ IC.I 
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Hence, 

H(Yj)>Y,l3{J\I)H{M). (18) 

ICJ 

Then, 

H{M) + H{K) > H{M,K) 

= H{M,K,Yj) 

> HiYj) 

> 5^/3(J\/)i7(M). (19) 

JCJ 

This implies. 



H{K) > ^ (3{J\I)-l] H{M). (20) 
Since (|20| holds for any fractional packing /3, we have 



,ICJ 



H{K) > I max^ /?(J \ /) - 1 | H{M), (21) 



7CJ 

which completes the proof. ■ 
In order to evaluate the lower bound on H{K), we need to consider the following LP (linear program), 

max PiJ \ I) (22) 

7C,7 

■^■t- EiGj:ej\i(3iJ\l)<hyieJ. 

In the following discussion, we define r(J) = max ^ /3(J \ /) — 1 for a fixed blocking set J, and let t = maxT(J). Since 

1^ ICJ J 

in any {f3{J \ /) : / C J} satisfying 

/3(J\/)>0, ^ /3(J\/) = 1 

/:/CJ 

is a feasible solution, we obtain that t( J) > and r > 0. 

Corollary 3. t(J) > if and only if for each edge e G J, e is covered by some wiretap sets. 

Proof: If e G J is not covered by any wiretap set, then for all wiretap set /, e e J \ /. By the LP in (|22|) . we obtain that 

d 

the constraint from edge e is ^ /3i < 1, where d is the number of wiretap sets. This constraint dominates any other constraint, 

i=l 

d 

and the maximum is attained when this bound is tight. Hence, t{J) — ^ /S^ — 1 = 0. 

i=l 

Conversely, assume that for all e G J, it is covered by at least one wiretap set. Fix e, and we can assume that, without lost 
of generality, e G /i. Then we have e ^ J implying that the number of sets J \ Ij {j ^ 1) which cover e is at most 

d 

d—\. Let jii — for \ <% <d. Then fii is a feasible solution, and hence t(J) > A ^ 1 — l/l*^ — 1) > 0. ■ 

2=1 

In the network Q = (V, £), when we try to find the lower bound on -^jjpj, if an edge e = (u, u) G £ is not covered by any 
wiretap set, we can directly send messages from u to ?; through e without mixing them with any key. By this means, we can 
merge nodes u, v into a new node vq, and delete all the edges between u and v. If we repeat this procedure, we can eliminate 
all such edges. Therefore, we can assume without loss of generality that each edge is covered by at least one wiretap set. 



VII. An Alternative Bound 

In the last section, we proved a lower bound on H{K) in terms of fractional packings of { J \ / : / C J} for all blocking 
sets J. In this section, we prove an alternative lower bound on H{K) in terms of fractional coverings of {/ : / C J}. In the 
next section, we prove a duality result between fractional packing and fractional covering that implies the equivalence of these 
two bounds. In this section, we derive another lower bound on H{K). 

Fix a blocking set J. By {B2) of Lemma |2] for any wiretap set I C J, we have 

HiK) > H{Yi). (23) 
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Let a be a fractional covering of {/ : / C J}. By the fractional covering inequality in (fT2|) . we obtain that 

H{Yj) < o^{I)H{Yi) < a{I)H{K). (24) 

/CJ /CJ 

Together with (fTSj) . we further obtain 

J2 P{J \ < H{Yj) < Y a{I)H{K). (25) 

/CJ /CJ 

Then „ , , , 

/CJ 

Maximizing over all (3 and minimizing over all a, we obtain another lower bound on H{K) for a fixed J: 

max E (3{ J \ I) 

H{K) > H{M). (27) 

mm ot{J-) 

" /CJ 

The maximization in the above has been considered in Section |VT] Thus in order to evaluate the above lower bound on H{K), 
we also need to consider the following LP: 

min (28) 
^■t E/cj:.e/«W>l'^*e J. 

VIIL A Duality Result 
In this section, we prove that (|27|) is equivalent to (fT6)) . 

Theorem 5. Given a blocking set J, then 

max P{J \ 1) 



/ \ max ^ I: 
max V /3( J \ /) - 1 = 



a{I) ' 

J 

where a is a fractional covering of {I : I C J} and l3 is a fractional packing of { J \ / : / C J}. 

In the following discussions, let lc{J) — min J2 '^i^) ^^d lp{J) = max ^ /3(J \ /), where a is a fractional covering of 

" /CJ /3 /CJ 

{/ : / C J} and /3 is a fractional packing of { J \ / : / C J}. 

Proof (Theorem^: In this proof, since J is fixed, we can use Ic and Ip instead of lc{J) and lp{J) without ambiguity. 
We need to prove 

Ip^l^^f, (29) 
Ic 

namely 

lc = r^ or Ip^-^. (30) 

Let Ji, /2, . . . , /j be the wiretap sets in J. 

(1) Let a =argmin< ^ q;(/) > and a.i = and define for 1 < i < d, 

[icj J 

d 

sum — Y '^i Pi — 



sura — 1 ' 
i=l 



Next, we prove that {(3i : 1 < i < rf} is a feasible solution to the LP in (|22|) and /3( J \ /j) = 

For each e £ J, we can assume without loss of generality that /i, ■ ■ ■ , Ij are the sets containing e and /j+i, . . . , /j be 
the sets not containing e. Since {at : 1 < z < d} is a fractional covering, J2 Oi{Ii) > 1. Since for all e G J, e ^ J \ Is, 
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for 1 < s < j and e E J\ Ig, for j + 1 < s < d, we have 



-■^ — ' ^ — ' sura — 1 sura — 1 



sum — ^ a{Ii) 



sura ~ 1 

< T = 1. 



Since Ip is the maximum value. 



sum — 1 sum — 1 

Ic 



/p>E/^^ = ^^-r^- (31) 

-'^^ — ^ 5Um — 1 £(7 — 1 

i=l 

(2) Let ^ =argmax| P{J \ ^)| and /3, = ^(J \ /,), and define for 1 < i < d, 

d 

swm = /3, and a,- = — 

i=l 

Next, we prove that {a^ : 1 < z < d} is a feasible solution to the LP in ( |28] l and Q!(/i) = 0;^. 

For each e G J, we can assume without loss of generality that /i, . . . , Ij are the sets containing e and /j+i, . . . , Id 

d 

be the sets not containing e. Since : 1 < i < d} is a fractional packing, ^ /3(J \ li) < 1. Since for all e G J, 

i=i+l 

e ^ J \ Is, for 1 < s < j and e E J \ Is, for j + 1 < s < d, we have 



=1 



sum — 1 sura — 1 
i— 1 

sum- J2 

i=j+i ^ sum — 1 



sum — 1 sum — 1 

Since Ic is the minimum value, 

d _____ , 



Esum Lp 
a^ = - (32) 

sum — 1 t p — i 

By (|3T|) and (|32t , we obtain /^Zp > /c + ^c^P' namely Z^Zp = Ic + lp, which completes the proof. 

■ 

By Theorem m and |5] we obtain 
Theorem 6. Fix a blocking set J and let a be a fractional covering of {I : I J}, then 

H{K) > max j H{M). (33) 
/cj 

By (|30)) , we can write the lower bound in Theorem |4] or |6] as > j^jUj- and consider only the LP in ( |28] |. Since 

T = maxl/(/c(d^) — 1) = max(Zp(J) — 1), we need to find min Zc(J) or maxZp(J). In the following sections, we refer to 
these two bounds as the fractional covering bound and the fractional packing bound, respectively. 



IX. Some Properties of the Lower Bound 

We consider the matrix form of the LP in (|28|) for the fractional covering. Let Ii, I2, ■ ■ ■ , Id be the wiretap sets. For each 
blocking set J, we construct a | J| x d matrix Aj to represent the edges in J. Let e/, 63, • ■ • , ej^i be the edges in J. If ef £ Ij, 
then Aj{i,j) — 1, else Aj{i,j) = 0. Each column of Aj corresponds to a wiretap set, and each row of Aj corresponds to an 
edge in J. 

We can now write the LP in (|28|) and its dual as follows: 

LP : min l^x Dual : max l^y 

s.t Ajx > 1 s.t A^y < 1 

a; > y>0 
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The strong duality theorem in linear programming (Theorem [13] in the appendix) states that the LP and its dual problem have 
the same optimal value. 

When we try to solve the above LP, we need to consider some special relations among the wiretap sets and the blocking 
sets, namely a wiretap set is a subset of another wiretap set, or a blocking set is a subset of another blocking set. We discuss 
these issues in the following. 

Corollary 4. For a given blocking set J, if wiretap sets li and Ij satisfy Ii C Ij C J, then li can be ignored in the model. 

Proof: For wiretap sets li, Ij C J, if /j C Ij, then the /th and jth column of Aj satisfy Aj < A'j componentwise, which 
implies in the dual problem the constraint (Aj)^i/ < 1 is dominated by the constraint {A'jY'y < 1. Thus we can ignore the 
column A J in Aj, or equivalently, the wiretap set li. ■ 
In the following discussion, we assume that li {I < i < d) is not a subset of any other wiretap sets. 

Corollary 5. If the blocking sets J', J satisfy J' C J, then t{J) < t{J'). 

Proof: By definition, if J' C J, then Aji is a submatrix of Aj. By comparing the linear programs for J' and J, we 
notice that the two objective functions are the same, but the feasible region of J is a subset of that of J', because Aji is 
a submatrix of Aj. Since we need to obtain the minimum value of the objective function, we have lc{J') < lc{J)^ where 
lc{J') and IciJ) are the optimal values for J' and J, respectively. Then r(J') = l/{l{J')c - 1) > l/(^('^)c - 1) = t{J), 
which concludes the proof. ■ 
This corollary implies that toward computing r = maxT(J), if J' C J", then J" can be ignored. In particular, since each 

blocking set contains a graph cut (also a blocking set), toward computing r, we only need to maximize over all graph cuts 
between the source and destination nodes. 



X. Algorithms for Computing the Lower Bound 

A. A Brute Force Algorithm 

Based on the above discussion, we propose a brute force algorithm, namely that we enumerate all the graph cuts and solve 
the corresponding LPs (e.g., by the simplex algorithm). Then the time complexity is 2^^^0{LP), where 0{LP) is the time 
complexity of the LP; e.g., the interior point algorithm can terminate in 0{m^n + m^) arithmetic operations, where m is 
number of constraints and n is the number of variables. 

Theorem 7. Sperner's Theorem l[25]l : If Ai, A2, A,n are subsets 0/ {1, 2, n} such that Ai is not a subset of Aj 
if i ^ j, then m < (pj)- 

When solving the LP, the primary factors of the complexity are the number of variables and constraints, namely the number 
of wiretap sets d and |J|. By Theorem |7] since for every two wiretap sets and Ij, li is not a subset of Ij if i ^ j, we 
obtain d < ( [ jI ) . 

In this algorithm, the total complexity is exponential, which is not practical when the problem size is large. Next we propose 
an algorithm which is polynomial when d is constant. 



B. A Polynomial Algorithm 

In this part we show that when the number of wiretap sets, d, is a constant, there exists a polynomial algorithm for computing 
the lower bound. In the following discussion, we use some definitions and theorems in linear optimization which are given in 
the appendix. 

In the above brute force algorithm, we consider every blocking set J and solve the following linear program for J: 

LP(J) : min 1^ x 

s.t. Ajx > 1 

x>0,xeR'^. 

If we let A'j = ( I and bj ^ ( ), where Idxd is the d x d identity matrix, then the above constraints can be 

\ ^dxd ) \ y 

written as NjX > bj. 

Let P = {x £ \ Ajx > l,x > 0}. Since x = Id £ P, P is nonempty polyhedron. Since A'j contains Idxd as a 
submatrix, we see that there exist d rows of A'j which are linearly independent. So by Theorem [TT] (in the appendix), the 
polyhedron P has at least one extreme point. Since x > 0, the optimal value is nonnegative, and hence not equal to —00. By 
Theorem [12] there exists an extreme point which is optimal. Let x*{J) denote an extreme point (not necessary unique) that 
gives the optimal solution. Then by Theorem [TO] x*{J) is a basic feasible solution. A straightforward method to find x*{J) is 
to enumerate all the basic solutions of LP{J), and check whether the basic solutions are feasible or not. In order to enumerate 
all the basic feasible solutions, we consider all d x d submatrices of A'j. For such a submatrix S, there is a corresponding 
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basic solution if and only if rank(S') = d, and if so, denote this basic solution by xs- Then a basic solution 2:5 is feasible if 
^'j^s > bj. Among all these basic feasible solutions, a;* (J) is the one that attains the minimum value. 
To sum up, we draw the following conclusion. 

Condition 1. For blocking set J, the optimal solution can be obtained by solving one of the equations: Sx = bs, where S is 
a d X d submatrix of A'j and bs is the corresponding subvector of bj. 

Furthermore, to obtain the best lower bound on ^j^, we need to solve the linear program to obtain the optimal value for 
each blocking set. Then take the minimum of these optimal values over all blocking sets to obtain the best lower bound. This 
can be achieved by repeating the procedure in Conclusion 1. 

The method described above is inefficient because if 5 is a submatrix of both A'j_^ and A'j^ for two different blocking sets 
Ji and J2, the exact same processing of S would be performed twice. In the remaining of this section, we aim to improve 
the method by removing such redundant operations. 

In the method described above, if we obtain the best lower bound on from blocking set J, we refer to the optimal 

value and the optimal solution of LP{J) as the best optimal value and the best optimal solution. Recall that for each blocking 
set J, since J C f , A'j is a submatrix of A'^ {£ is a blocking set so A'^ is defined accordingly). Then we can draw another 
conclusion. 

Condition 2. Consider the best lower bound on in network Q = (V, £). The best optimal solution can be obtained by 

solving one of the equations Sx — bs, where S is a d x d submatrix of A'^ and bs is the corresponding subvector of bg. 

Definition 5. For each blocking set J, let Qj be the set of all basic feasible solutions of LP {J), and let Q ^ [J Qj. 

J 

Let 7 = O^it''')- By Conclusion 12] the best optimal value is min l^x. If we compute the set Q by means of the prescription 

in Definition |5] we need to enumerate all the blocking sets, and hence the computational complexity is exponential in \£\. But 
we notice that matrix A'^ has 7 submatrices with dimension d x d and each of them corresponds to at most one basic feasible 
solution, and so |Q| < 7. When rf is a constant, 7 is polynomial in \£\, which suggests that if we compute Q by enumerating 
these ^ d X d submatrices, we may obtain an algorithm which is polynomial in \£\. By the definition of Q, for each d x d 
submatrix 5, if rank(5) < d, we cannot obtain a basic solution from Sx = bs- Therefore, we only need to consider S such 
that 

1) rank(S') = d. 

When S satisfies 1), Sx = bs has a unique solution, which we denote by xs- In the sequel, whenever we discuss xs, we 
implicitly assume that S satisfies 1), otherwise xs is undefined. If xs is feasible for some blocking set J, namely A'jXs > bj, 
then Xs satisfies 

2) xs > 0. 

Let Q' be the set of all xs satisfying 2). Then Q Q Q' and Q' can be computed in polynomial time. Now we need to solve 
the following problem: if a; G Q' , what is the necessary and sufficient condition for x G Ql 

For each edge e e £, let {a'^Y' denote the row of Ag corresponding to e. For each xs E Q', let ^(5*) = {e G £\{a'^)'^xs > !}■ 

Theorem 8. Let xs G Q'. Then xs E Q if and only if F{S) is a blocking set. 

Proof For xs G Q' , if xs € Q, then xs is a basic feasible solution of LP{J) for some blocking set J. By 
^'j^s > bj, we obtain that for each e G J, {a^)'^xs > 1, which means e G F{S), implying J C F{S). Hence F{S) is a 
blocking set. 

Recall that A'^ = ■' ) . For a d X d submatrix S of A'^, let Es be the set consisting of all e G f such that e 

\ ^dxd ) 

corresponds to a row of S. By the definition of xs, we have that for each e G Es, {0!^)^ xs = 1, which means that e G F{S), 
implying that Es C F{S). Let J = F{S). Then J is a blocking set. For e G J, {a'')'^xs > 1, namely Ajxs > 1. Together 
with Xs > 0, we have A'jXs > bj. Since Sxs = bs and 5* is a d x c? submatrix of A'j, xs is a basic feasible solution of 
LP{J), and hence xs E Q- ■ 

By Theorem [8] for xs G Q', in order to determine whether xs G Q, we only need to check whether F{S) is a blocking 
set. This can be done in polynomial time as follows. In the graph Q = {V,£), upon deleting all the edges in F{S), we need 
to check whether the source node and the destination node are connected in the residual graph, which can be achieved via a 
Depth-First Search (DFS) algorithm (e.g., in |7|) with time complexity 0{\V\ + \£\). Based on the these results, we propose 
Algorithm 1 on the next page for computing the lower bound on ^jjf^- 

The time complexity analysis of Algorithm 1 is as follows: 

1. In step a), the time for calculating all xs is 0(7 * d^), where d^ is the time for matrix inversion by Gaussian elimination. 

2. In step b), in the worst case, we need to enumerate all the 7 submatrices. For each submatrix S, there are at most \£\ 
edges in F{S), and so we have to delete at most \£\ edges in graph Q = (V, £). The complexity for determining whether 
F{S) is a blocking set is 0(|V| + \£\). In sum, the time complexity of this step is 0{j * (|V| + \£\))- 
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Algorithm 1 Algorithm for computing a lower bound on jjjjjj 

a) For each d x d submatrix S of A'^, keep the matrix provided that it satisfies rank(5) — d and xs > 0. 

b) For each S that survives in a), calculate F{S), and determine whether F{S) is a blocking set. If yes, calculate val(S) = 
ijxg, else ignore S. 

c) Output 5* and xs that attain the minimum val(S). 



3 . With steps a) and b) together, the total complexity is 0(7*(i'^ + 7*(|V| + |f|)) = 0(|£|'*(|V| + |f|)), which is polynomial 
when d is a constant. 

XI. Tightness of the Lower Bound 

In this section, we discuss tightness of the lower bound on obtained by Algorithm 1. In Cai and Yeung fSl, a security 

condition for multi-source linear network coding was proved. This condition, stated in the next theorem, is instrumental in the 
discussion in this section. For the sake of completeness, we include a proof of this theorem. 

In the sequel, let Fq be a finite field of size q and F^ = Fq x Fq... x Fq. For a matrix A, we also write the number of rows 

^ V ' 

r 

and columns of A as mw{A) and col(74), respectively. 

Theorem 9. Let A and B be given matrices defined on F. Let M be a random vector with positive probability distribution on 
F^ and K be a uniformly distributed random vector on Fq. Let Y ^ A _B)^^^ and C = ( A B ^ and assume 

that rank(C) is equal to the number of rows of C. Then the following are equivalent: 

a) M and Y are independent, namely I{Y; M) = 0; 

b) rank(i?) = row(_B), or equivalently, rank(i?) — rank(C). 

Proof: "a) ^ 5)" Since rank(C) = row(C), we have 

row(C) < col(C). 

Then for each Y = y, the equation y = AM + BK has at least one solution, which means 

Pr(y = y)>0. 

Together with Pr(M = m) > and I{Y; M) = 0, we obtain that 

Pr(y = y,AI = m) = Pi-{Y = y)Pr(M = m) > 0, 

namely for each y and m, the equation y — Am + BK has at least one solution. Since BK = y — Am has at least one 
solution for arbitrary (y,m), we obtain rank(_B) = row(i?). 

"5) a)" Let W — AM, V = BK and r = rank(i?). Since K is uniformly distributed, V is uniformly distributed on 
Fq. Since row(y) = row(y), 

HiY) < log = H{V) H{BK). 

On the other hand, 

H{Y) ^ H{Y\M) + I{Y- M) 
> H{Y\M) 
= H{AM + BK\M) 
= H{BK\M) 
= H{BK), 

which means that H{Y) = H{BK) and the equality holds if and only if I{Y; M) = 0. ■ 

A. When the Best Lower bound is Zero 

In this case, the lower bound on is tight as we now show. By r = maxr(J) — 0, we obtain that for each blocking set 

J, t( J) = 0. In Corollary [51 by letting J be an arbitrary graph cut (VF, W^) of network Q = (V, S), we see that there exists an 
edge e G E{W, W) such that e is not contained in any wiretap set. Hence in Q ^ (V, £), if we delete all the edges which are 
contained in some wiretap sets, then the number of remaining edges in each graph cut is at least 1. By the max-flow min-cut 
theorem, there exists a path P from the source node to the destination node and all the edges in P are not contained in any 
wiretap sets. So we can send a message M along P without mixing it with a random key. For such a scheme, H{M) > 
and H{K) = 0, implying that the bound -^jjpr > is tight. 
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B. Point-to-Point Communication System 

In this section, we prove that in a point-to-point communication system, the lower bound on is tight. Consider such 

a system. Let s and u be the source node and the destination node, respectively. Let h be the number of edges from node s 
to node u and /i, I2, ■ ■ ■ , /d be the wiretap sets. 

and its dual as follows 



We now write the LP in 

Primal : min 
s.t 



Ajx > 1 



Dual ; max 
s.t 



(34) 



Since the primal has an optimal solution x* , by the strong duality theorem in linear optimization (Theorem [13] in the appendix), 
the dual also has an optimal solution y* and l^x* — l^y*. Next we prove that the lower bound on -^j^ can be achieved, 
namely there exists a code such that H{M) — {I'^y* — 1)H{K). 

Proposition 2. There exists an optimal solution y* such that all its entries are rational numbers. 

Proof: By Conclusion 1, there exists an extreme point y* which is optimal. This extreme point can be obtained by solving 
a particular set of linear equations, whose coefficients are rational numbers. Hence we conclude that y* is also rational. ■ 

Let y* = (ai/61, 02/62, ah/bh), where 0^,6^ G IN and gcd{ai,bi) — 1, 1 < i < h. Let g = lcm{bi, 62, bh), and 

Then l^y 



— g * ai/bi, Wi £ IN. Let Wamx — max Wi and w = Wi — g 



l<i<h 



i=l 



1 = J. Let M and K be uniformly 

distributed on F-J and F™, respectively. Next, we prove that there exists a linear code with transmission alphabet F = p'^^^^ 
such that H{K) = g and H{M) = w (where the logarithm is in the base q), and on each edge {1 < i < h), the codeword 
is a vector defined on F^\ By appending to the codeword a zero vector of length u;,„ax ~ Wi, the codeword becomes a vector 
in F. When Wi — 0, we transmit nothing on edge ej, so we can ignore edge e^. In the following, without loss of generality, 
we assume that w, > 0. 



Proposition 3. There exists a wiretap set I such that 



E 



Wi 



9- 



Proof: Since y* is a basic feasible solution of the dual problem in ( l34l i. we can find matrix C such that 



Cy* = 



On 



(35) 



where C is an invertible h x h submatrix of 



Ihxh 



and rii 



n-2 



(1,0,..., 0) G R is a feasible solution and 1 j/o = 1- Therefore, 1 y' 
l^y* = 0, a contradiction. Hence, ni > 0. Then we obtain from (|35] | that 



C 



/ 


Wi \ 




( ' \ 








9 


V 


Wh J 




[ ) 



h. In the dual problem, we can see that j/q ~ 
> l^yo = 1- If ni = 0, then y* = 0, so that 

(36) 



Letting / be the wiretap set that corresponds to the first row of C, we have ^ = ■ 

Without loss of generality, we can let the wiretap set / prescribed in Proposition [3] be Id = {et+i, et+2, • • ■ , eh}, so that 
the edges apart from those in Id are ei, 62, . . . , e*. Then for each li where 1 < i < d — 1, by Ajy* < 1 and y* = {wi/g, 
W2/g, . . ., Wh/g), we have 

J2 ""1^9 (37) 



for 1 < j < d - 
We assume 



1. 



M = 



/ mi \ 

1712 

\ mt J 



(38) 



where G F^^ (1 < « < i)- Let Bi (1 < i < h) he a Wi x g matrix defined on Fq to be specified later. Let the symbol 
transmitted on edge be 



(39) 
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where Y, e 1 < i < t, and let 



where 



Bt+2 



is the g X g identity matrix on Fq. Namely, for t + 1 < i < h, the symbol transmitted on edge is 

Y, - BJ<. 

Let Y be the symbols transmitted on all the edges. Then we can write 



(40) 



(41) 



(42) 



Y 



Y2 

Yt 

V Yi. J 
/ Di 

i:>2 



Bi 




/ 




\ 


B2 










Bt 






nit 




Bi, 


) 


V 


K 


J 



(43) 



... i 
V ... 

where Di, 1 < i < t, is the Wi x Wi identity matrix. 

For a matrix A, we denote the vector space spanned by the rows of A by rowspan(A). For each Ci (1 < i < h), let 
Vi = rowspaii(0, Di, 0, Bi) (the row space of the /th row in (|43]i). From the above construction, we have dim(T^) = Wi 

h 

for l<i<h and dim{Vi © V2 ® ■•■ ©^4) = E '>^f 

In the code we have constructed, we see from ( |39] l that the g symbols of the key K are sent on the edges in Id- Therefore, 
liYj^; M) = 0. The following lemma, which is a refinement of Lemma 3 in is instrumental for constructing Bi,l < i < t. 

Lemma 4. Let Vi, V2, Vm be vector subspaces on F^, and dmi{Vi) — di (1 < i < m). Ifd>0 and d+di < n (I < i < to), 
then for q > m, there exists a vector subspace V of FJ^, such that dim(l/) — d and dim(t^ © Vi) = A\ra{V) + dim(l/i) 
{l<i< to). 

Proof Let {61,62, ■••,6d} be a basis of V. For all 1 < i < to, let {vii,Vi2, ...,Vidi} be a maximally independent set of 
vectors in Vi. We construct {61, 62, 6^} by induction. It suffices to show that for 1 < j < d, if 61, 62, 6j_i have been 
chosen such that for a\\ Vi, 1 < i < m, 

bi, 62, bj^i,va,Vi2, Vid, (44) 
are linearly independent, then it is possible to choose bj such that for all 1 < i < to, 

61, 62, 6j-i, 6j , Wii, Ui2, Vid, (45) 

are linearly independent. Specifically, bj is chosen such that it is independent of the set of vectors in (|44] | for all 1 < i < to; 
i.e., 

bj e Fg \ Ui<i<,n{bi,b2,-.,bj^i,Vii,Vi2,...,Vidi). (46) 
Since the cardinality of a subspace in F^ is finite, we need to show that the set above is nonempty. 



l<i<m 

^ E 

l<2<m 



y (61,62, ...,6j_i,wii,wi2, ■■■,vid^) 

(61,62, ...,bj-l,Vil,Vi2, ■■■yVidi) 

l<i<m 

< '^""^ <d,+d< n) 

1< i < m 
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Therefore, 



U {bl,b2,—,bj-i,Vii,Vi2,...,Vidi) 



l<2<m 
n-1 



> g" — mq 

> 0, 

since q > m. Hence bj can be chosen for all I < j < m. ■ 
In the following, we construct Bi,l < i < t to satisfy the secure condition: for each wiretap set /, I{Yj;M) = 0. Since 
the symbols transmitted on the edges in wiretap set /; = {e^j , , e^, ^ , } (1 < i < d — 1) are 



Y 



/ . 
. 



D,,. 



V 

by Theorem |9] for each wiretap set (1 < i < (i — 1), if 



D 



( mi\ 

1712 
TTlt 

V K ) 



(47) 



(48) 



satisfies b) of Theorem |9] namely 



dim(ri) = row(r,;) = ^ row(B,;^ ) = ^ Wi- , 



(49) 



(50) 



then for li, the secure condition holds. 

For 1 < i < d — 1, we define matrix T° as follows: if D Id ~ {sji, ejj, Cj^}, then 



(51) 



V 5> / 



else Tf is the empty matrix. For each z, for 1 <l <t are defined inductively as follows: if ei € I^, then 



rj-il 



B, 



else 



rjnl rj-il — 1 



We can verify that for 1 < i < d ~ 1, the rows of T* are a permutation of the rows of Ti. Hence, (|50] l holds if and only if 

dim(y*) = row(i;*). (52) 

Now, we construct Bi,l < i < t one by one starting from Bi. For each I, 1 < I < t, we need to construct Bi such that 
satisfies b) of Theorem |9l i.e., 

dim(7^') =row(T;'), (53) 



for 1 < i < d - 1. 

Before we construct Bi, for wiretap set (1 < i < d — 1), since Bj^ is an identity matrix, if liCi Id 0, then 

j-.cjeiinid 

else dim(T°) = 0. For either case, (l53T l holds. 
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For Bi, row(i?i) — wi, and it is required that if ei e li, 

dim(T/) = row(7;i) 

= row(7;") +row(Si) 

^row{T°)+wi, (54) 
for 1 < i < d - 1. By (O, if ei G (1 < i < d - 1), we have 

row(T°) + wi = ^ Wj + wi 

< g. (55) 

By (|55T l and Lemma |4l we can construct a wi x g matrix i?i to satisfy ( |54] l. and hence ( |53T l is satisfied for / ~ 1. 

We assume that for a fixed I', where 1 < V < t — \, Bi, B2, Bir have been constructed so that ( |53] l is satisfied for 
!</</'. Then 

dim(i;'') = row(i;'')= "^3+ E (56) 

For Bi'+i, row(i?('+i) = and it is required that if e;/+i e 7^, 

dim(i;''+i) = row(i;''+i) = row(Tf ) + w^+i. (57) 

By (I37]i and (|56ll, if e;/+i e /», 

row(i;'') + = E + E 

j:ejehnla j:ejG/i, i</' + l 

< 5- (58) 

By Lemma|4]and ( fSSl ). we can construct a wj'+i x 17 matrix B/'+i such that dSTl i holds, and hence ( |53] ) is satisfied for / = /' + !. 
By mathematical induction, we can construct Bi,l < i < t. 

The decoding can be done as follows. We first obtain K from wiretap set Id- Then yi can be solved for all 1 < i < h and 
by (|39]l we obtain that mi = Yi - BiK for 1 < j < i. 



For the code we have constructed, H{M) = w and H{K) — g, so that ^pjy — 'J — ^^U* — 1 as desired. Hence the lower 
bound on ^jjp: by Algorithm 1 is tight. 



XII. Conclusion 



In this paper, we have obtained an upper bound on the size of the message and a lower bound on the size of the key for a 
secure network code on a wiretap network. The lower bound on the size of the key is obtained via a set of entropy inequalities 
by Madiman and Tetali [17|. Computation of this bound can be achieved in polynomial time, and it is tight for the special 
case of the point-to-point communication system. 



Appendix 
Linear Optimization 

In this appendix, we present some standard definitions and theorems in linear optimization taken from l|2l. 

Definition 6. A polyhedron is a set that can be described in the form {x e > b}, where A is an m x n matrix and b 

is a vector in R™. 

Definition 7. Let P be a polyhedron. A vector x £ P is an extreme point of P if we cannot find two vectors y,z £ P, both 
different from x, and a scalar X £ [0, 1], such that x ^ Xy + {1 — X)z. 

Definition 8. Let P be a polyhedron. A vector x G P is a vertex of P if there exists some c' such that cx' < c'y for all y 
satisfying y £ P and y ^ x. 

Definition 9. Consider a polyhedron P defined by linear equality and inequality constraints, and let x* be an element of KP". 
(a) The vector x* is a basic solution if: 

1) All equality constraints are active. 



17 



2) Out of the constraints that are active at x*, there are n of them that are linearly independent 
(b) If X* is a basic solution that satisfies all of the constraints, we say that it is a basic feasible solution. 

Theorem 10. Let P be a nonempty polyhedron and let x* e P. Then, the following are equivalent: 

(a) X* is a vertex; 

(b) X* is an extreme point; 

(c) X* is a basic feasible solution. 

Definition 10. A polyhedron P d R"' contains a line if there exists a vector x € P and a nonzero vector d € such that 

X + Xd Cz P for all scalars A. 

Theorem 11. Suppose that the polyhedron P = {x £ R^\a[x > bi,i = l,...,m} is nonempty. Then, the following are 
equivalent: 

(a) The polyhedron P has at least one extreme point. 

(b) The polyhedron P does not contain a line. 

(c) There exists n vectors out of the family ai, a™, which are linearly independent. 

Theorem 12. Consider the linear programming problem of minimizing dx over a polyhedron P. Suppose that P has at least 
one extreme point. Then, either the optimal cost is equal to —oo, or there exists an extreme point which is optimal. 

Theorem 13 (Strong duality). If a linear programming problem has an optimal solution, so does its dual, and the respective 
optimal costs are equal. 
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